The (tiny) attached patch to trunk uses unsafe functions in uncontroversial parts of the Buffer module. In all instances, the accesses are already checked by the logic of the Buffer module prior to the unsafe function being called.

I have avoided unsafe functions in complicated or infrequently called parts of Buffer, like the resize function.

As a side note, it's not 100% straightforward that the calls to blit in add_substring and add_string are safe. I'm thinking about possible integer overflow when computing new_position (leading to a negative value for new_position which does not trigger resizing). I think it is fine because of the limit on the maximum string length, but one needs to be careful (I've heard about a variant of the OCaml runtime developed by OCamlPro which gets rid of the limit on string lenths).